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IN THE CLAIMS 

Please amend the claims as follows: 

1 . (Currently Amended) A method comprising: 

receiving at least one protocol state machine definition for a network protocol, said 
protocol state machine definition including a plurality of protocol state rules; 

parsing the at least one protocol state machine definition to form a set of parsed protocol 
state rules, said parsed protocol state rules including at least one condition and at least one action 
associated with the condition; 

storing a set of filters in a filter database; 

receiving a network flow, said flow including a plurality of packets; and 
applying the parsed protocol state rules to the plurality of packets in the network flow; 
wherein the at least one action comprises the instantiation of a filter for the network flow 
from the set of filters. 

2. (Original) The method of claim 1, wherein the protocol state rules include rules for analyzing 
a context for the network flow. 

3. (Original) The method of claim 2, wherein the context for the network flow includes an 
application layer context. 

4. (Original) The method of claim 1 wherein the filter comprises a dynamic filter that is 
instantiated for the duration of the network flow. 

5. (Original) The method of claim 1, wherein the filter comprises a static filter that is applied 
during an initiation of the network flow. 
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6. (Original) The method of claim 1, wherein the at least one action comprises saving the result 
of the at least one action for use in a later executed rule in the set of parsed protocol state rules. 

7. (Currently Amended) The method of claim [[1]] 6, further comprising maintaining an 
expected state for the network flow utilizing the saved result wherein the at leapt one action 
oompriooo deactivating a rule in the oot of parood protocol otato ruloo . 

8. (Original) The method of claim 1, wherein the at least one action comprises activating a rule 
in the set of parsed protocol state rules. 

9. (Currently Amended) A system comprising: 

a parser operable to parse at least one protocol state machine definition for a network 
protocol to a set of parsed protocol state rules, said protocol state machine definition including a 
plurality of protocol state rules, said parsed protocol state rules including at least one condition 
and at least one action associated with the condition; 

a filter database operable to store a set of filters in a filter database; and 
a protocol analysis engine operable to receive a network flow, said flow including a 
plurality of packets; and apply the parsed protocol state rules to the plurality of packets in the 
network flow; 

wherein the at least one action comprises the instantiation of a filter for the network flow 
from the set of filters. 

10. (Original) The system of claim 9, wherein the protocol state rules include rules to analyze a 
context for the network flow. 



1 1 . (Original) The system of claim 10, wherein the context for the network flow includes an 
application layer context. 
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12. (Original) The system of claim 9 wherein the filter comprises a dynamic filter that is 
instantiated for the duration of the network flow. 

13. (Original) The system of claim 9, wherein the filter comprises a static filter that is applied 
during an initiation of the network flow. 

14. (Original) The system of claim 9, wherein the at least one action comprises saves the result 
of the at least one action for use in a later executed rule in the set of parsed protocol state rules. 

15. (Currently Amended) The system of claim [[8]] 9, wherein the at least one action deactivates 
a rule in the set of parsed protocol state rules. 

16. (Original) The system of claim 9, wherein the at least one action comprises activates a rule 
in the set of parsed protocol state rules. 

17. (Original) The system of claim 9, wherein the protocol analysis engine is further operable to 
maintain a state table for the network flow. 

18. (Currently Amended) A tangible machine readable medium having storing machine 
executable instructions for performing a method comprising: 

receiving at least one protocol state machine definition for a network protocol, said 
protocol state machine definition including a plurality of protocol state rules; 

parsing the at least one protocol state machine definition to form a set of parsed protocol 
state rules, said parsed protocol state rules including at least one condition and at least one action 
associated with the condition; 

storing a set of filters in a filter database; 

receiving a network flow, said flow including a plurality of packets; and 
applying the parsed protocol state rules to the plurality of packets in the network flow; 
wherein the at least one action comprises the instantiation of a filter for the network flow 
from the set of filters. 
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19. (Original) The machine readable medium of claim 18, wherein the protocol state rules 
include rules for analyzing a context for the network flow. 

20. (Original) The machine readable medium of claim 19, wherein the context for the network 
flow includes an application layer context. 

21. (Original) The machine readable medium of claim 18 wherein the filter comprises a 
dynamic filter that is instantiated for the duration of the network flow. 

22. (Original) The machine readable medium of claim 18, wherein the filter comprises a static 
filter that is applied during an initiation of the network flow. 

23. (Original) The machine readable medium of claim 18, wherein the at least one action 
comprises saving the result of the at least one action for use in a later executed rule in the set of 
parsed protocol state rules. 

24. (Original) The machine readable medium of claim 18, wherein the at least one action 
comprises deactivating a rule in the set of parsed protocol state rules. 

25. (Original) The machine readable medium of claim 18, wherein the at least one action 
comprises activating a rule in the set of parsed protocol state rules. 



